The leaked draft of the ePrivacy Regulation: top 10 points to note

Yesterday (13 December) in time-honoured tradition, a draft proposal of the European Commission’s (EC) new ePrivacy Regulation was leaked. The official draft of the proposal is not expected to be published by the EC until January 2017, and it is possible some of the detail will change before then. Datonomy will be providing fuller analysis of the real thing in the near future, but an initial look at the leaked draft – which (typos aside) gives a good indication of what to expect – reveals the following:

It’s a Regulation rather than a Directive (as predicted by Datonomy here)

As with the GDPR, this is intended to provide additional harmonisation and simplification. However, there are a number of areas where Member States can nuance provisions.

A fining regime similar to GDPR

Offenders can expect turnover-based fines. For example, fines of up to 2% of turnover, or up to 10,000,000 EUR, apply to breaches of the cookie rules and up to 4% of turnover, or up to 20,000,000 EUR, for breaches of security-related rules. Member States will have the ability to lay down their own rules for infringements of direct marketing rules.

Extra-territorial effect

The Regulation will apply to electronic communications data processed in connection with the provision and use of electronic communications services to end users in the EU regardless of whether the processing takes place in the EU.

Focus on Over The Top (OTT) providers

As suggested by the recent EC consultation, the scope of the legislation is updated and extended to cover not only publicly available electronic communication services but also OTT services, such as unmanaged VoIP, instant messaging, web mail and social media messaging. This will ensure that the protection of confidentiality is guaranteed, irrespective of the technological medium chosen.

Application to machine-to-machine communication (IoT)

The draft signifies the potential for the new Regulation to apply to machine-to-machine communication, should the information or metadata exchanged between two devices be deemed to contain personal data.

eMarketing and consent rules

A soft opt-in remains for direct marketing, provided users are “clearly and distinctly” given the chance to object. In all other circumstances prior opt-in consent is required. “Consent” is as defined in the GDPR.

“Direct marketing communication” is widely defined to include “any form of advertising whether written or oral sent to one or more identified or identifiable end-users of e-communications services”. E-mail, SMS and automated calls are expressly included in the body of the Regulation, and the recitals indicate that the Regulation seeks to future-proof the rules by also covering instant messaging and MMS. Banner advertising is not, however, specifically mentioned, so this remains unclear for now.

B2B marketing rules

The opt-in is to be extended to include commercial communications sent for direct marketing purposes to business end-users.

Changes to cookie consent rules

Cookie consent rules (and their practical application) have been an area of controversy under the current PEC Directive. There are various new provisions around cookies:

The draft proposes that prior consent will be required;

“Consent” must meet the new higher requirements of the GDPR in order to be valid;

Consent can be withdrawn at any time and at periodic intervals of 6 months;

The new rules expressly provide for the use of browser settings to express consent “where technically possible and effective”. In order to be valid, browser settings should require an affirmative action from the user to signify such consent, which should be prompted at the moment of first use of the software;

Cookies which are “necessary” for the provision of information society services e.g. to add items to a shopping cart and/or first party analytics would not require consent;

Cookie rules will be extended to fingerprinting.

Privacy by design

There are privacy by design obligations on providers of terminal equipment and software to block third party cookies by default if there is no active choice by the user.

Compensation claims

In line with the GDPR, end-users will have the right to compensation for material or non-material damage as a result of breaches of the rules, along with the right to lodge a complaint with their national regulator. Not-for-profit consumer bodies will be able to make complaints and seek compensation on individuals’ behalf.

Comment and what to expect next

The draft of the new ePrivacy Regulation, which is part of the EC’s Digital Single Market package, has been expected for some time. The EC consulted on the reforms between April and July this year – see our coverage here. The EC has an ambitious timetable for bringing the new legislation into force (by May 2018 in line with the GDPR), given that the formal legislative process has not even begun. The draft Regulation suggests there would only be a six-month lead-in period from the date of formal adoption. Datonomy will be providing fuller analysis of the proposal, and tracking progress through the Brussels legislature, in the New Year.

Other contributors: Elle Todd, Olswang head of Digital and Data, and Claire Walker, Olswang head of Client Knowledge.